"Recently, researchers from Ben-Gurion University of the Negev in Israel have discovered 29 (yes, you read it correctly) ways someone can insert malware into your computer or smartphone via USB port. Luckily, the team of experts suggested solutions on how to stay safe and what to do if attacked.

All 29 malware attacks are divided into four categories:

Attacks that reprogram the

Attacks that reprogram USB’s firmware.

Malware that takes advantage of the flaws in the operating

Electrical attacks.

This short guide will try to shed some light on these pieces of malware and what steps you can take to protect your data—whether your computer has already been infected or to prevent the infection in the first place.

Note that these steps are very general, and they might not work against all these threats; that’s why we placed the “What to do now?” section at the end of this guide (with the exception of those threats that have had their protective measures specifically identified by the researchers).

1. RUBBER DUCKY
Rubber Ducky is a ransomware threat developed in 2010 with a primary aim to encrypt your files by acting as a keyboard with pre-entered keystrokes. It works on every operating system that recognizes a USB stick as the main input device—keyboard.

The most probable scenario is that the attacker will offer a PIN code to decrypt the files in exchange for money. Unfortunately, a simple Google search shows that the Rubber Ducky USB stick is available for purchase for a mere $50.

2. PHUKD/URFUKED
This malware works on the same principle as Rubber Ducky, with a subtle difference that allows the attacker(s) to choose a specific time to activate the keystrokes thanks to a programmed timer.

WHAT TO DO IF YOU ARE INFECTED WITH EVILDUINO:
You can try to uninstall it with a third-party tool that will scan your computer and look for malware and other issues that can affect your device. Make sure to use a trusted tool that can identify Evilduino, locate it and uninstall it. Try one of these:

4. USBDRIVEBY
Another malware that reprograms microcontrollers and uses pre-entered keyboard and mouse strokes is USBdriveby. This malware changes DNS settings and unlocks the computer. The device, called Teensy, is one of the commonly used products for this purpose. It can be purchased on Amazon for just $20.

5. USB HARDWARE TROJAN
The USB hardware Trojan uses USB channels such as speakers and keyboard to exfiltrate and compromise users’ data. This Trojan uses two types of channels that are not safeguarded by endpoint security protections—kernel-space and user-space.

WHAT TO DO IF YOUR COMPUTER IS INFECTED WITH THE USB HARDWARE TROJAN?
One of the solutions experts recommend is Real-Time Protection, which identifies and blocks the threat before it starts extracting data. If you are a Windows 10 user:

1. GO TO SETTINGS/ WINDOWS DEFENDER

2. CLICK ON OPEN WINDOWS DEFENDER SECURITY CENTER

3. CLICK VIRUS & THREAT PROTECTION

4. GO TO VIRUS & THREAT PROTECTION SETTINGS

5. TURN ON REAL-TIME PROTECTION

6. RIT (READ IT TWICE) ATTACK VIA USB MASS STORAGE
This malware monitors the target user’s activity and alters files on the infected computer by using a USB mass storage device. RIT can be transmitted not only by USB devices but also by any other external storage unit.

HOW TO REMOVE RIT FROM YOUR COMPUTER:
To get rid of RIT, try an anti-malware program (Comodo, for example). To install Comodo and remove the threat from your computer, follow these steps.

7. ATTACKS ON WIRELESS USB DONGLES
One of the most famous attacks from this category is KeySweeper. It is a USB wall charger that collects data from all wireless keyboards that are in range. The malware attacks Microsoft keyboards manufactured before 2011. Luckily, later models are more difficult to hack.

HOW TO PROTECT YOUR COMPUTER:
To stay safe even if your computer is in KeySweeper’s range, use a keyboard that operates by using Bluetooth technology.

8. TURNIPSCHOOL
This USB spyware tool was inspired by the National Security Agency’s Cottonmouth program, whose main purpose was to spy on people of interest, collect data and take control of a target’s computer. Needless to say, the device is controlled by radio.

9. DEFAULT GATEWAY OVERRIDE
In this scenario, the infected USB stick affects the functioning of the Ethernet adapter and changes the DNS settings. This way, all data is transferred to the hacker’s server.

10. SMARTPHONE-BASED HID ATTACKS
Another type of threat vector is attacks where hackers reprogram USB’s firmware. The malware changes the way a smartphone interacts with the keyboard and mouse. It mimics these peripherals and sends pre-entered keystrokes to the victim’s smartphone.

11. KEYBOARD EMULATION BY MODIFIED USB FIRMWARE
This is another example of how tampered USB firmware can be used for simulating the keyboard. As already mentioned, this type of malware sends pre-determined keystrokes to the victim’s computer.

12. HIDDEN PARTITION PATCH
The USB drive is used as a hidden partition acting like a normal drive, only it cannot be detected or formatted. The purpose of this virus is to exfiltrate data from your computer.

13. DNS OVERRIDE BY MODIFIED USB FIRMWARE
Similar to the Default Gateway Override, this malware changes DNS settings and redirects traffic to the attacker’s server. However, in this case, it is not the microcontroller that is altered, but the USB’s firmware.

POSSIBLE PROTECTIVE MEASURES:
There’s not much you can do—if infected with this type of malware, you will probably have to reinstall the entire operating system.

14. BOOT SECTOR VIRUS
The infected USB stick recognizes the type of operating system based on how it interacts with it. Then, the malware boots the system from the USB.

15. PASSWORD PROTECTION BYPASS PATCH
Password Protection Bypass Patch does just what its name suggests—it enables access to password-protected content by altering the USB’s firmware.

16. VIRTUAL MACHINE BREAK-OUT
In this scenario, researchers have shown how reprogrammed USB firmware can hijack the user’s VirtualBox or their laptop camera for spying.

17. ISEEYOU
Similar to the previous example, researchers have shown how reprogrammed USB firmware can be used for spying on users with their own cameras. The virus even disabled the LED light on the camera, so the user is not even aware that they are being monitored.

18. STUXNET
This malware, together with the below Fanny Worm, uses unprogrammed USB devices and operating system flaws for the purpose of cyber espionage. The malware was famously used to spy on the Iranian nuclear program.

19. FANNY WORM
Fanny Worm is not just similar to Stuxnet; it’s also possibly related to it. Fanny Worm operates on the same principle and is convenient for spying on computers that are not connected to the internet by exploiting Microsoft’s LNK vulnerability. It was developed by Equation Group, a code name for the NSA as revealed by researchers in 2015.

20. DATA HIDING ON USB MASS STORAGE DEVICES
Researchers have shown that even USB sticks that seem empty can contain malware or stolen data. They can be placed in an invisible file or outside of the regular partition.

21. AUTORUN EXPLOITS
Windows’ autorun option saved users a lot of time but also opened new horizons for malware lurking on USB sticks. Some of the examples of autorun malware include the Sony BMG Rootkit and the Conficker Worm. Both viruses automatically attack the computer once an infected USB stick or disc is inserted.

HOW TO REMOVE AUTORUN MALWARE FROM YOUR COMPUTER:

Disable the autorun function.

Search every drive’s root for inf.

Open the file with Notepad.

Look for Label= and shellexecute= lines and save the name of the file marked with those lines.

Close the autorun.inf file.

Delete it.

Find the file you have

Delete that file as well.

22. DRIVER UPDATE
This is one of the most complicated attacks because it uses the VeriSign Class 3 Organizational Certificate that allows malware to be marked as “verified.” This way, the virus is identified as a trusted Microsoft program. Luckily, this attack is very complicated to pull off, and because of that, it is not that common.

23. RAM DUMP ATTACK
This malware is stored on a USB device, and it harvests the data from RAM. Attackers use memory dump to infiltrate a victim’s computer. Once they do that, they have access to decryption keys and passwords. This malware is especially convenient for extracting data from point-of-sale (POS) systems.

HOW TO AVOID RAM DUMP ATTACKS:

Use strong passwords.

Use an antivirus program.

Use a firewall.

Keep the software updated.

Restrict internet access.

Disable remote access.

24. BUFFER OVERFLOW-BASED ATTACKS
Buffer overflow is an error in the code that occurs when there is more data than the buffer can handle. This is a system’s weak spot, and it can be easily exploited in the service of a malware attack. The code in the malware can be used for gaining access to one’s computer.

25. DEVICE FIRMWARE UPGRADE
Another sneaky way of inserting malware into a USB device is replacing the legitimate firmware with an infected version.

WHAT CAN YOU DO?
To protect your USB device from the malicious upgrade, you can disable firmware updates.

26. USB THIEF
USB Thief is malware that operates incognito on USB devices and uses portable apps such as Firefox or TrueCrypt. It has a strong self-protection mechanism and cannot be copied. The purpose of this malware is to collect data from computers that are not connected to the internet.

27. USBEE ATTACK
USBee Attack is, one might say, probably the work of a mastermind. Until this method was invented, somebody had to bring an infected USB device into the building. However, USBee uses devices that are already in the facility and turns them into data transmitters. This attack can be conducted even if the computer is not connected to the internet.

28. ATTACKS ON SMARTPHONES
Malicious programs can be inserted even into smartphones with USB chargers. Make sure not to charge your phone with public chargers in coffee shops or airports because these devices can be corrupted. Also, do not plug your phone into a computer.

HOW TO REMOVE MALWARE FROM A SMARTPHONE:

First, you will have to uninstall suspicious apps from your phone. Go to Settings/Applications, select the one you want to uninstall and click Uninstall.

29. USB KILLER
USB Killer is a type of electrical attack. The device has the capacity to physically destroy the entire hardware system. Unfortunately, the computer will not recover from this.

IF YOUR COMPUTER IS INFECTED, HERE’S WHAT TO DO:
According to researchers, there are no fully guaranteed methods to get rid of malware coming through a USB stick. You can try conventional techniques listed below; however, nobody can guarantee they will work every time or for every type of attack.

1. One of those methods is restoring your operating system to the previous version. If you are a Windows 10 user, you can do the following:

Go to My Computer

Click Properties

Click System Protection

Select System Restore/ Choose a Different Restore Point

Click Next

Select the convenient date

Click Finish

Make sure that all of your files are backed up because once you restore your operating system to the previous version, all programs that were installed after the selected date will be lost.

2. Another method is trying to uninstall the malware from your Programs (Apps) and Features:

Hold Windows+ X

Select Apps and Features

Find the malware

Select it

Click Uninstall

Luckily, my computer is not infected with malware, so for demonstration I used Skype.

3. You can also use the uninstall command:

Hold Windows+ R

Type regedit

Find the malware

Double click on the UninstallString

Copy Value Data

Hold Windows+ R

Paste Value Data

Click OK

Follow the wizard

HOW TO STAY SAFE
There are several general rules you need to follow to protect your USB stick, computer and smartphone from malware. You can at least try to do so with these recommendations:

For the majority of these malware threats, there is no certain strategy on how to get rid of it once you are infected. You can try the methods listed above, but nobody can guarantee it will work.

Also, in most cases, you have to have enough skill to identify the malware without the help of an outside security program. The last option is to re-install your operating system and hope for the best—sometimes, even this doesn’t help.

On the other hand, there are some measures users can take to make their USB devices and computers safer. For instance, do not use someone else’s USB stick, always bring your own charger, use an antivirus program and scan your systems on a regular basis."

The focus of CIRCLean is to establish document exchange even if the used transport layer (the USB stick) cannot be trusted or if there is a suspicion about whether the contained documents are free of malware or not. In the worst case, only the CIRCLean would be compromised, but not the computer reading the target (trusted) USB key/stick.

The code runs on a Raspberry Pi (a small hardware device), which also means it is not required to plug the original USB key into a computer. CIRCLean can be seen as a kind of air gap between the untrusted USB key and your operational computer.

CIRCLean does not require any technical prerequisites of any kind and can be used by anyone. CIRCLean is free software which can be audited and analyzed by third-parties. We also invite all organizations to actively reuse CIRCLean in their own products or contribute to the project.
...How to get your own instance
The source code with all the sources to convert the content and the scripts needed to build your own image to write onto an SD card are available.

If you prefer to use a pre-built image (last update: 2018-01-29), you can use:
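A read-only helper for the autorun.inf removal steps in the article quoted above, added here as an example; it is not code from the article, from the forum or from CIRCLean. It finds autorun.inf at each drive root, parses the [autorun] section, and reports which files the open=, shellexecute= and icon= keys name and whether they sit at the root, so you know what to delete before touching anything. It goes a little beyond the article's label= and shellexecute= lines because autorun.inf also launches files through open= and loads icon=. The function names, the constructed sample autorun.inf and the drive-root list are assumptions of the example, and it never deletes anything itself.

```python
"""Triage autorun.inf files found at drive roots (added example, not from the
article or the forum thread).  Parses the [autorun] section, lists the files
that the launch-related keys point at, and says whether they are present at
the drive root.  Read-only: deletion stays a human decision."""
import os
from dataclasses import dataclass, field
from typing import Dict, List

# Keys whose value names a file Windows may launch or load from the drive.
LAUNCH_KEYS = ("open", "shellexecute", "icon")


@dataclass
class AutorunFinding:
    drive: str
    referenced_files: Dict[str, str] = field(default_factory=dict)  # key -> file
    present_files: List[str] = field(default_factory=list)
    label: str = ""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return a lower-cased key -> value map for the [autorun] section only.
    Other sections and ';' comment lines are ignored, as in INI files."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_file(value: str) -> str:
    """Reduce a key value to the file it names: drop arguments after the
    (possibly quoted) path and the ',index' suffix that icon= allows."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        token = value[1:end] if end > 0 else value[1:]
    else:
        token = value.split()[0] if value.split() else ""
    return token.split(",")[0]


def triage(drive: str, autorun_text: str, files_on_drive: List[str]) -> AutorunFinding:
    """Pure function: given autorun.inf contents and the root listing,
    report what would be launched and whether it is present at the root."""
    entries = parse_autorun(autorun_text)
    finding = AutorunFinding(drive=drive, label=entries.get("label", ""))
    lower_files = {f.lower() for f in files_on_drive}
    for key in LAUNCH_KEYS:
        if key in entries:
            target = launched_file(entries[key])
            finding.referenced_files[key] = target
            if target.lower() in lower_files:
                finding.present_files.append(target)
    return finding


def scan_roots(roots: List[str]) -> List[AutorunFinding]:
    """Check each given root (e.g. 'E:\\\\' on Windows, '/media/usb0' on a
    Linux pre-screening box) for an autorun.inf and triage it."""
    findings = []
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, "r", errors="replace") as fh:
                findings.append(triage(root, fh.read(), os.listdir(root)))
    return findings


# Constructed sample of the kind of autorun.inf the article describes.
SAMPLE_AUTORUN = """\
[autorun]
; constructed example, not a real sample
label=Holiday Photos
icon=photos.ico
open=setup.exe /quiet
shellexecute=update.exe
"""
SAMPLE_ROOT_FILES = ["autorun.inf", "photos.ico", "setup.exe", "update.exe", "Photos"]

if __name__ == "__main__":
    f = triage("E:\\", SAMPLE_AUTORUN, SAMPLE_ROOT_FILES)
    print(f"Drive {f.drive} label={f.label!r}")
    for key, target in f.referenced_files.items():
        status = "present" if target in f.present_files else "missing"
        print(f"  {key}= -> {target} ({status})")
```

On a real drive, call scan_roots with the mounted root and read the report before deleting the autorun.inf and the files it names, as the article's steps describe.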

I receive and test many new USB devices (hubs, sound cards, adapters, hdd/ssd enclosures, etc - everything except flash drives) on a regular basis, how do I check if they are safe?


I'd suggest reading current reviews of USB Security Software to know what's favored today for Windows 10 if that's what you are forced to use. Please post what you find best for Windows 10 so others can benefit.

I've been running the same tool for years, and it blocks USB devices and locks USB Drive access. There isn't much to the detection protection, you'll need additional malware / virus detection software too, but it's a good blocker to stop accidental infections.

Software won't protect against USB electrical hacks, so I would suggest that besides whatever software solution you pick to stop infection on all of your machines, you also have a "throw-away" machine with a separate USB port card - and don't plug into your motherboard USB ports - that way if you get a bad device that tries to fry your USB port it only damages an under $10 USB card.

You could install detection and scanning malware / anti-virus software on that machine and use it to pre-screen all USB devices before moving them on to use in your office.

You could also run Linux, as most malware doesn't expect that as its host and won't be active; that's why Linux / RaspberryPi was chosen for the CIRCLean tool. You could set up Linux + CIRCLean and other tools on that USB device pre-screening machine to extract files without infection and transfer them to another USB device or to the file system on your pre-screening machine.

@hmscott thank you. I don't use USB flash drives, at all, while as far as I understand all the software linked above seems to be focused on them and not on other devices. So, I personally need to verify USB hubs, SSD enclosures, sound cards, ethernet adapters and similar devices - not something fancy or complex. I have a few raspberry pis and would rather use one of them for testing, instead of a separate Windows machine. What would be your recommendation in this particular scenario?


I already gave the recommendations; it's the same for USB flash drives and USB HDDs and USB SSDs, etc.

As far as the other USB devices, that's why I suggested a USB expansion card instead of plugging them in the motherboard. That way if there is an electrical problem - or electronic kill payload (battery or USB power short) on the device it will destroy the expansion card USB port, instead of the one on the motherboard.

If the other non-storage USB devices have a physically hidden storage device piggybacked onto the USB device to deliver malware, that storage will also be treated the same, and that storage will be blocked from loading the malware by the USB security software.

If you plug in a non-storage USB device and a storage device shows up on the USB security software, then you've found a baddie and can then disassemble it and remove the piggybacked storage device, although for the most part they are cheap enough that you could just destroy it and be done with it.

You don't *need* to use a Raspberry Pi device to host a Linux / USB software solution, it's just a simple inexpensive example used to show how you can dedicate an inexpensive device to the task instead of using a whole full PC.

Using the CIRCLean tool + a new inexpensive Raspberry Pi device kit, you could set up Linux + CIRCLean as a dedicated device - maybe buy a minimal kit to put it all together easily. Or, use an old PC running Windows + USB Security software + USB expansion slot card, either way works.

If you find anything else interesting in this realm, please let us know.
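hmscott's check above (a non-storage device that suddenly presents storage, or a sound card that also behaves like a keyboard) can be automated on the Raspberry Pi / Linux pre-screening box the asker already has. The following is an added example, not code from the thread, from CIRCLean or from any USB security product: it reads the bInterfaceClass of every interface under /sys/bus/usb/devices and compares it with what the operator says the device is. The EXPECTED_CLASSES table, the inventory mapping and the constructed sysfs look-alike used for the offline run are assumptions of the example; the class codes themselves are the standard USB values.

```python
"""Flag USB devices whose interface classes do not match what they claim to be
(added example; not code from the thread or from CIRCLean).  A 'sound card'
that also exposes a HID interface, or a hub that also presents mass storage,
is what the thread calls a piggybacked device."""
import os
import tempfile
from typing import Dict, Set

# Standard USB bInterfaceClass codes; a subset is enough for this check.
CLASS_NAMES = {
    0x01: "audio", 0x02: "cdc-control", 0x03: "hid", 0x08: "mass-storage",
    0x09: "hub", 0x0a: "cdc-data", 0x0e: "video", 0xe0: "wireless",
    0xff: "vendor-specific",
}

# Which classes each kind of device is allowed to expose.  Assumption of the
# example: tune to your own inventory (some Ethernet adapters are
# vendor-specific, others use CDC control + data).
EXPECTED_CLASSES: Dict[str, Set[int]] = {
    "hub": {0x09},
    "sound card": {0x01},
    "ethernet adapter": {0x02, 0x0a, 0xff},
    "ssd enclosure": {0x08},
}


def flag_unexpected(claimed_kind: str, classes: Set[int]) -> Set[str]:
    """Names of interface classes a device of `claimed_kind` should not have.
    HID or mass storage on a device that is neither is the classic sign."""
    allowed = EXPECTED_CLASSES[claimed_kind]
    return {CLASS_NAMES.get(c, f"class-{c:02x}") for c in classes if c not in allowed}


def read_sysfs_interfaces(sysfs_root: str = "/sys/bus/usb/devices") -> Dict[str, Set[int]]:
    """Collect bInterfaceClass per device from a sysfs-style tree.  Interface
    directories are named '<bus>-<port>:<config>.<iface>'; the part before
    ':' is the device they belong to."""
    result: Dict[str, Set[int]] = {}
    for entry in os.listdir(sysfs_root):
        if ":" not in entry:
            continue
        class_file = os.path.join(sysfs_root, entry, "bInterfaceClass")
        if not os.path.isfile(class_file):
            continue
        with open(class_file) as fh:
            code = int(fh.read().strip(), 16)
        result.setdefault(entry.split(":")[0], set()).add(code)
    return result


def audit(tree: Dict[str, Set[int]], inventory: Dict[str, str]) -> Dict[str, Set[str]]:
    """inventory maps sysfs device name -> what the operator believes it is.
    Returns only the devices that expose something unexpected."""
    report: Dict[str, Set[str]] = {}
    for device, kind in inventory.items():
        bad = flag_unexpected(kind, tree.get(device, set()))
        if bad:
            report[device] = bad
    return report


def build_constructed_tree(base: str) -> None:
    """Write a constructed sysfs look-alike for offline runs: device 1-2 claims
    to be a sound card but also exposes a HID interface; 1-3 is a plain hub."""
    spec = {"1-2:1.0": "01", "1-2:1.1": "03", "1-3:1.0": "09"}
    for iface, code in spec.items():
        d = os.path.join(base, iface)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "bInterfaceClass"), "w") as fh:
            fh.write(code + "\n")
    for device in ("1-2", "1-3"):  # device directories carry no ':'
        os.makedirs(os.path.join(base, device), exist_ok=True)


def demo_audit() -> Dict[str, Set[str]]:
    """End-to-end run over the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return audit(read_sysfs_interfaces(tmp), {"1-2": "sound card", "1-3": "hub"})


if __name__ == "__main__":
    print(demo_audit())  # -> {'1-2': {'hid'}}
```

On the real box, call read_sysfs_interfaces() with the default path and pass your own inventory to audit(); sysfs is world-readable, so no root is needed. A device that appears in the report goes to the expansion-card port for a closer look, as the thread suggests, not to the office machines.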